| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 19 May 2011 18:16:35 +0200
From: Eric Dumazet <eric.dumazet@...il.com>
To: Tom Herbert <therbert@...gle.com>
Cc: davem@...emloft.net, netdev@...r.kernel.org
Subject: Re: [PATCH 4/4] rps: Inspect GRE encapsulated packets to get flow
hash
Le jeudi 19 mai 2011 à 08:39 -0700, Tom Herbert a écrit :
> Crack open GRE packets in __skb_get_rxhash to compute 4-tuple hash on
> in encapsulated packet. Note that this is used only when the
> __skb_get_rxhash is taken, in particular only when the device does
> not compute provide the rxhash (ie. feature is disabled).
>
> This was tested by creating a single GRE tunnel between two 16 core
> AMD machines. 200 netperf TCP_RR streams were ran with 1 byte
> request and response size.
>
> Without patch: 157497 tps, 50/90/99% latencies 1250/1292/1364 usecs
> With patch: 325896 tps, 50/90/99% latencies 603/848/1169
>
> Signed-off-by: Tom Herbert <therbert@...gle.com>
> ---
> net/core/dev.c | 22 ++++++++++++++++++++++
> 1 files changed, 22 insertions(+), 0 deletions(-)
>
> diff --git a/net/core/dev.c b/net/core/dev.c
> index 0c83494..7799bbd 100644
> --- a/net/core/dev.c
> +++ b/net/core/dev.c
> @@ -2552,6 +2552,28 @@ again:
> }
>
> switch (ip_proto) {
> + case IPPROTO_GRE:
> + if (pskb_may_pull(skb, nhoff + 16)) {
> + u8 *h = skb->data + nhoff;
> + __be16 flags = *(__be16 *)h;
> +
> + /*
> + * Only look inside GRE if version zero and no
> + * routing
> + */
> + if (!(flags & (GRE_VERSION|GRE_ROUTING))) {
> + proto = *(__be16 *)(h + 2);
> + nhoff += 4;
> + if (flags & GRE_CSUM)
> + nhoff += 4;
> + if (flags & GRE_KEY)
> + nhoff += 4;
> + if (flags & GRE_SEQ)
> + nhoff += 4;
> + goto again;
> + }
> + }
> + break;
> default:
> break;
> }
Hi Tom
For sure it helps if this machine is the final host for these packets.
If I am a firewall or router [and not looking into GRE packets], maybe I
dont want to spread all packets received on a tunnel to several cpus and
reorder them when forwarded.
Maybe we need to add a table, so that upper layer (GRE or IPIP tunnels)
can instruct __skb_get_rxhash() that we want to deep inspect packets.
1) Say we keep rxhash first evaluation be the one we have today.
2) Do a hash lookup in a new table to tell if upper layer handled a
previous packet for this first level flow and want more inspection.
3) table could contains 'pointers' to decoding function, that would
recompute a new rxhash function.
4) Find a way to "clean the table", garbage collect or expirations times
can do.
This way we can add stuff in GRE and IPIP modules [and other kind of
tunnels], without layer violations ?
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists